Date: Thu, 23 Dec 2010 20:26:03 +0100
From: Johannes Stezenbach <js@...21.net>
To: Nicolas Sebrecht <nicolas.s-dev@...oste.net>
Cc: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, oss-security <oss-security@...ts.openwall.com>, david b <db.pub.mail@...il.com>, Christoph Höger <choeger@...tu-berlin.de>, John Goerzen <jgoerzen@...plete.org>
Subject: Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL server certificate 2), allows SSLv2 protocol

On Thu, Dec 23, 2010 at 07:55:50PM +0100, Nicolas Sebrecht wrote:
> On Thu, Dec 23, 2010 at 03:43:40PM +0100, Jan Lieskovsky wrote:
> >
> > II), Allows SSLv2 protocol
...
> >  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606962

Please note that I reported this issue for the python2.6 package
and not for the offlineimap package. While I noticed it with
offlineimap, I think the bug is either in Python or in openssl.
According to Python documentation it should default to use SSLv3.

OTOH it wouldn't hurt if offlineimap would allow the user to specify
the protocol version (TLSv1, SSLv3, SSLv2).

Thanks
Johannes
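
The message above suggests letting the user choose the protocol version. As an added example (not part of the thread and not OfflineIMAP's code), this is one way a client written against the current Python 3 `ssl` module could read such a setting while keeping certificate checks on and refusing the old protocols. The `tls_min_version` option name, the sample config, the host name and the decision to refuse everything below TLS 1.2 are assumptions of this example.

```python
import configparser
import ssl

# Constructed sample config; the section contents and the option name
# `tls_min_version` are hypothetical, chosen for this example only.
SAMPLE_CONFIG = """
[Repository Remote]
remotehost = imap.example.org
tls_min_version = tls1_2
"""

# Option values this example accepts, mapped to the ssl module's constants.
ACCEPTED = {"tls1_2": ssl.TLSVersion.TLSv1_2, "tls1_3": ssl.TLSVersion.TLSv1_3}
# Names a user might type that are refused outright instead of silently honoured.
REFUSED = {"ssl2", "ssl3", "tls1", "tls1_1"}


def context_from_config(text, section="Repository Remote"):
    """Return (host, SSLContext) for one repository section of the config."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    repo = parser[section]
    name = repo.get("tls_min_version", "tls1_2").strip().lower()
    if name in REFUSED:
        raise ValueError(f"{name} is refused; use one of {sorted(ACCEPTED)}")
    if name not in ACCEPTED:
        raise ValueError(f"unknown protocol version {name!r}")
    # create_default_context() turns on certificate and hostname verification.
    ctx = ssl.create_default_context()
    # Pin the protocol floor explicitly rather than relying on a library default.
    ctx.minimum_version = ACCEPTED[name]
    return repo["remotehost"], ctx


if __name__ == "__main__":
    host, ctx = context_from_config(SAMPLE_CONFIG)
    print(host, ctx.minimum_version.name, ctx.verify_mode.name, ctx.check_hostname)
```
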